The “Stripe” of Identity

16 April 2015

Making payments easy is a very hard thing to do (see post).. the same can be said of authentication. Apple has created a new standard for biometrics/identity and authentication with Touch ID.. and platform security (with iPhone 6). The problem for entities needing to authorize using Touch ID (ex. banks) is that Apple doesn’t pass the raw biometrics.. it’s actually against the law in Europe (which makes sense, as fingers are rather hard to re-issue).

How can banks leverage Touch ID for authentication/authorization of their bank app? There are 3 parts to the problem:

  1. Integration with Touch ID (trust of Touch ID),
  2. Trust of the phone (phone ID),
  3. Authorization for the service.
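The three parts above map onto a challenge-response flow in which the bank enrols a device-bound public key, the handset signs a server nonce only after a local fingerprint match, and the server authorizes one specific action. This is an added Go sketch, not code from the post or from Early Warning/Authentify; the device IDs, the action string and the `localMatch` flag are assumptions standing in for the OS biometric gate and the handset’s hardware-held key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device is the phone side. The private key stands in for a key kept in the
// handset's hardware keystore that the OS only lets the bank app use after a
// successful local fingerprint match. The bank never receives biometric data.
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

// NewDevice generates the device-bound key pair (constructed for this example).
func NewDevice(id string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// challengeDigest binds device, server nonce and the exact action, so a
// signature cannot be reused for another device, session or amount.
func challengeDigest(deviceID, nonce, action string) [32]byte {
	return sha256.Sum256([]byte(deviceID + "\x00" + nonce + "\x00" + action))
}

// Sign is reachable only after the local biometric gate passes; localMatch is
// an assumed stand-in for the OS reporting that the fingerprint matched.
func (d *Device) Sign(localMatch bool, nonce, action string) ([]byte, error) {
	if !localMatch {
		return nil, errors.New("local biometric check failed: key unavailable")
	}
	digest := challengeDigest(d.ID, nonce, action)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// BankServer holds the public key enrolled per device (trust of the phone) and
// the nonces issued but not yet consumed (one per authorization attempt).
type BankServer struct {
	enrolled map[string]*ecdsa.PublicKey // device ID -> key registered at enrolment
	pending  map[string]string           // nonce -> device ID it was issued to
}

func NewBankServer() *BankServer {
	return &BankServer{enrolled: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
}

// Enroll records a device's public key; in practice this happens inside an
// already-authenticated session so the key is tied to a known customer.
func (s *BankServer) Enroll(d *Device) {
	s.enrolled[d.ID] = &d.priv.PublicKey
}

// Challenge issues a fresh random nonce for one enrolled device.
func (s *BankServer) Challenge(deviceID string) (string, error) {
	if _, ok := s.enrolled[deviceID]; !ok {
		return "", errors.New("unknown device")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	s.pending[nonce] = deviceID
	return nonce, nil
}

// Authorize approves one specific action only if the nonce is outstanding for
// this device and the signature verifies under the enrolled key. The nonce is
// consumed before verification, so a captured response cannot be replayed.
func (s *BankServer) Authorize(deviceID, nonce, action string, sig []byte) error {
	owner, ok := s.pending[nonce]
	if !ok || owner != deviceID {
		return errors.New("no outstanding challenge for this device")
	}
	delete(s.pending, nonce)
	digest := challengeDigest(deviceID, nonce, action)
	if !ecdsa.VerifyASN1(s.enrolled[deviceID], digest[:], sig) {
		return errors.New("signature does not verify: action rejected")
	}
	return nil
}

func main() {
	dev, _ := NewDevice("phone-A")
	srv := NewBankServer()
	srv.Enroll(dev)
	nonce, _ := srv.Challenge(dev.ID)
	action := "transfer:100.00:to-acct-42"
	sig, _ := dev.Sign(true, nonce, action)
	fmt.Println("first use:", srv.Authorize(dev.ID, nonce, action, sig)) // nil
	fmt.Println("replay:", srv.Authorize(dev.ID, nonce, action, sig))    // error
}
```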

I can’t believe I’m going to write this next part.. it breaks most of my rules.. but a Bank Consortium has actually innovated!!  Early Warning’s purchase of Authentify may be the best bank innovation of the last 10 years. With Authentify, banks now have a consistent way to implement biometrics, manage trust, and authorization across iOS, Android and other platforms.  See press release below. 

http://www.earlywarning.com/news/press-releases/2015/early-warning-to-acquire-authentify.html

Early Warning’s other components include Payfone (jointly owned by US banks, US MNOs and Amex), and the US banking industry’s top secret fraud fighting utility (which has migrated from ACH, checks and debit into credit and lending).

Early Warning has completely remade itself over the last 5 years.. becoming the US banking industry’s best consortium for innovation and value creation. Congrats to CEO Paul Finch and his fabulous product, M&A and tech team.. and to all of his bank members for making this possible.

Chip and Signature!?

4 December

I finally received my very first EMV compliant piece of plastic from Citi this week. As I travel frequently to Asia and LATAM I’m very happy. This should help me avoid situations like being stuck at Vancouver Airport without any way to buy a tram ticket from their ATM-like ticket machine. Just one thing missing in the package.. a PIN!!

I went online to see why there was no PIN https://www.citi.com/credit-cards/template.do?ID=chip-technology-questions


Can you believe it… we now have something unique to the US.. CHIP and SIGNATURE!?

Wikipedia tells me that the US, Australia and NZ are the primary countries for this model… I described some of the dynamics in my 2012 blog “EMV Battle Impacts Mobile Payments”.

From Chip and PIN to Chip and Choose? Visa wants to encourage signature as these transactions must be routed through them.. my position (and that of most non-network people) is that AUTHORIZATION and AUTHENTICATION are completely different problem sets. The availability of real time approval means nothing if you don’t know WHO you are approving for WHICH CARD. PIN answers the “who” question and the chip is the account number or “how” you are going to pay. I just can’t believe that Visa has come up with this story.. but they must in order to support “contactless”. Most consumers don’t know that today contactless transactions have limits. These limits are set by the issuer; in Europe they are typically around $25. However the issuer can choose to increase the limit (no PIN required), or require a PIN with a contactless payment. All of this is a little absurd for Visa as PIN is always viewed as key to authentication, AND Visa just waived the signature requirement for mobile payments. So no signature required for Square.. but Visa wants it optional at the merchant POS so it can retain the volume?…. Expect some regulatory involvement here.

Large merchants are very, very aware of this strategy to improve the credit transaction mix and make mobile/contactless payments a “premium” service. The top 20 retailers have put their foot down and said “no way” will we be putting contactless readers in our stores (MCX members particularly). The terminals that they are ordering DO NOT have contactless capabilities.. only EMV chip and PIN. Most retailers agree that signature is a worthless authentication mechanism. Visa clings to signature in order to ensure transactions are routed through them. Expect MCX to look toward a PIN model..

So this EMV “battle” has many sides to it.. it impacts mobile payment adoption, EMV rollout, plastic re-issuance, consumer behavior, consolidation of national PIN debit networks, and EMV compliant ATMs.

So WHY chip and SIGNATURE? The 30 second summary is that “Perfect Authentication” is a Nightmare to Banks (see blog). If there is no risk.. then anyone can be a card issuer. (Credit risk as opposed to the billion dollar fraud/authorization systems).

Business Drivers

Visa/MA

  • PIN is not a desirable consumer behavior, PIN is despised by both Banks and Visa
  • Grease the skids for contactless EMV. Who wants to wave their phone and THEN enter a PIN!? Visa/MA understand that it makes no sense to force a PIN on plastic and provide a “pass” for a wave.
  • PIN provides fantastic fraud prevention and therefore decreases the NEED for other risk management services (by Network and Bank)
  • Ensure that transactions are routed through them (signature debit is primary transaction type at risk).
  • The January 2013 Visa mandate was a complete surprise to issuers. I asked a top 3 card issuing CEO why he committed to EMV. “Tom, I found out about it the way you did, in a press release.. Visa has yet to come by my office to discuss EMV”. This gives you an idea of issuer relations. Why did Visa push EMV? To encourage reterminalization and enable mobile (credit card) payments. Visa knew the big issuers would hate it.. but Chip and Signature was a “meet in the middle” strategy. Visa created the opportunity to enable contactless, and big issuers kept their PIN-less advantages.

Issuers

  • Shifts Fraud to Merchants who do not have compliant POS payment terminals
  • Allows large banks to continue to leverage their multi billion dollar investment in fraud infrastructure (Signature + $$ Fraud Infrastructure == security of Chip and PIN)
  • Keeps consumer behavior away from PIN
  • Big banks win, enabling them to leverage multi-billion dollar fraud system investments at the expense of smaller banks. Banks that cannot make the investments will be challenged to support contactless, or EMV, without PIN. This again demonstrates how large banks continue to exert substantial leverage over the card networks in rule making and incentives.
  • The only EMV products coming out in the US are Credit based. Payment strategy is centered around increasing consumer use of credit card products.
  • See my blog on PIN Debit (Signature Debit is Dead). PIN debit enjoys a slightly higher growth rate (15.6% vs 14.3%), consumer preference (48% vs 34%), lower fraud rate (2009 fraud numbers: Signature $1.12B, $181M PIN debit card), and obvious merchant preferences (interchange and fraud; 96% of PIN fraud losses assumed by issuers, vs 56% in Signature). Source: FRB report.

We have an environment where large banks and networks are purposely rolling out a less secure payment product. From the FRB report http://www.frbatlanta.org/documents/rprf/rprf_pubs/120111_wp.pdf

PIN verification provides superior protection against fraud losses… Signature-based losses were 13 bps compared to 3.5 bps for PIN fraud dollar losses.

Obviously PIN is more secure, and DEBIT is where EMV should be focused.. But banks DON’T WANT TO MAKE DEBIT SECURE (no margin here). To a non-payments geek this must look completely insane. Is it any wonder that large merchants are working together on a new payment network (MCX)? To understand the payments industry you must throw out all logic.. and look at the incentives. Moves here are NOT logical.. Networks are measured on volume; the entities which are in control of volume are issuers (switch portfolios). Merchants are motivated by cost of acceptance.

Perfect Authentication… A Nightmare?

This question is very similar to the story above on EMV. The engineer in me recoils at the thought that a sophisticated technology (which decreases risk), would not be welcomed within a market. To understand WHY, you must answer the question: WHO benefits from the risk reduction? If your business is risk management, and someone takes risk away, what is your business?

4 Nov 2013

Long blog.. load of typos

As I’ve stated before, this blog has been a great way to make new friends and stay in touch with my 100s of friends and former employees around the world. When you are in a small company you tend to lose touch with what else is going on, as you no longer have 1000s of folks feeding you market intelligence. Small companies live and die by the risks they take, and I’m primarily focused on reducing risk by sharing G2 and perspective.

Industry History (experts can skip this section)

I’m fortunate to have worked with some of the best teams in both security and fraud areas. Back in 1998 I ran Oracle’s Payment and Security National Practice where we did things like PKI, Single Sign On, as well as Oracle’s first Java application: iBill and Pay (built on Oracle’s first application server OAS, which scaled to 40 users regardless of hardware). I switched from the tech side to the business side in ’02, and can assure you that running online banks keeps you in the security AND fraud space. In 2008 I left Citibank to go to 41st Parameter (just acquired last month by Experian). 41st Parameter was founded by a visionary fraud prevention guy.. Ori Eisen, with a focus on device ID.

From a Commercial/operational perspective there is always friction between the security teams and the Fraud/Operations teams. The security teams are always working to enhance security, the fraud and operations teams are always working to mop up the mess from any holes in security and create proactive processes by which they can stop it. As I said in my blog last week, if I let security guys have their way with authentication …. customer experience would be awful.. and no one would use online banking. Hence we have services like Risk Based Authentication, Honey Pots, Fraud Controls, …

This same Security vs. Fraud dynamic plays out in payments. From the 1970s to the 1990s banks built their authorization infrastructure around tools like HNC’s Falcon to create rules based authorization, with daily tuning of rules based upon fraud. Today banks continue to invest billions of dollars in fraud and risk infrastructure (see blog). The metaphor for competition here:

If you are camping with your friends and a hungry bear comes to your campsite.. you don’t have to be faster than the bear.. you just have to be faster than at least one other camper.

Thus the rule of thumb: fraudsters always attack the easiest target. Big bank billion dollar fraud platforms thus drive fraud to smaller competitors. This enables the large banks with sophisticated controls to derive higher margins in payment products, which drives incremental investment. This is one reason why large US banks are so resistant to EMV (it levels the playing field). Fraud numbers in the US are not well reported; the best data is from my friend in the UK (see UK Cards Association). Large US banks were not involved in (or informed of) Visa/MA’s plans to mandate EMV. As one CEO told me personally, “Tom.. to this DAY Visa has never come by my office to discuss EMV, I found out about it the same way you did.. in a PRESS RELEASE..” [Top 3 Issuer].

In the late 90s banks were not prepared for Card Not Present (CNP) transactions that came from eCommerce. Their fraud systems (ex. HNC Falcon rules) were not tuned for this type of transaction. Actually, banks really didn’t care much here because 100% of fraud loss was borne by the merchant. The only bank impact was helping the customer deal with fraud (and reissuing cards). Thus RETAILERS began investing in fraud systems, and 3rd party specialists (GSI, CYBS, 41st P, Digital River, 2CO, PayPal, …) emerged to help manage fraud on behalf of retailers. LARGE retailers followed the same path as large banks, investing in custom fraud infrastructure (i.e. Amazon, Apple, Google, airlines, …).

Banks thus ceded eCommerce risk management to 3rd parties until around 2003, when 3D Secure was developed (see Wikipedia; implemented as VBV by Visa and MSC by MasterCard). Merchants were incented to adopt the scheme by a liability shift (to banks) and an interchange reduction of 5-10 bps. Rollout of the scheme in Europe was a disaster (see UK Guardian). Banks now owned a mountain of new fraud losses (as 3DS technology was broken), with only ONE tool to address it: decline transactions. See my 2010 blog and Schneier’s: Online Credit/Debit Card Security Failure.

Mobile

Banks are determined to avoid their prior mistakes, in eCommerce risk/roles,  and take a leadership position in mobile (ie payments, risk, authentication, data, … ). I’ve detailed their efforts in:

Why is mobile so important to Banks?

#1 PRIMARY INTERACTIVE customer touchpoint. 10 years ago, how did you interact with your bank when you were away from home, work and a branch? The only interaction you had was a piece of plastic.  Mobile enables a new class of Services.. but ALL mobile services must add value. The rest of these priorities pale in comparison to consumer touch… Banks are thus experimenting on what they COULD DO with mobile to remake banking.

#2 Authentication. Confirming identity of consumer.

#3 Risk Management. Both gaining additional consumer insight, and enabling new levels of risk control based on this data.

#4 Remaking of Retail Banking (reducing cost to serve)

#5 Mobile Payment.

#6 Partnerships. Sales, Distribution

I’ve touched on #1 many times, but before I go to Authentication/Authorization/Risk, let me provide a brief recap of my many blogs covering the “other services”. As I outlined in Card Linked Offers, what banks don’t realize is that just because you CAN interact with the consumer doesn’t mean that the consumer WILL. You must actually deliver VALUE if you want to capture consumer TIME. Having run 2 of the largest online banks I know what customers do. Retail customers log in 3 times a week, check their balance, pay a bill or two and log off (180 seconds later). Bank CEOs.. I gave my recommendation on what you SHOULD be doing in my Bank NewCo blog.

Authentication – THE Linchpin

As I stated in Who do you Trust,

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?

Hardware is evolving to software (from NFC to the SIM). …[ If Google locks down Android with a new secure OS, they will be in a position to provision Google applications (Maps, mail, search, …), identities, and cloud based services (drive, Google Now, Commerce, …).  The “freeware” model could still exist, but without the cutting edge Google services it becomes a COMMODITY HARDWARE game.

What we will see at Money 2020, is that there is an all-out war going on for the Trust role: Banks (see Tokenization), MA/V, MNOs, Samsung, retailers… everyone realizes this is the “key” to unlocking future value in the convergence of the virtual and physical world.

and in Authentication – A Core Battle for Monetizing Mobile

As Ross Anderson said, “if you solve for authentication.. everything else is just accounting”. Think of how much bank infrastructure is dedicated to authentication of the consumer and risk/fraud management. This infrastructure was built over the last 30 years because there was VERY poor ability to authenticate a consumer (ex. signature and possession of card) AND inconsistent CONNECTIVITY at each commercial “node” touching the transaction. Today we have complete connectivity, but the MODEL has not evolved from its archaic past.

Beyond Authentication, mobile also plays SUBSTANTIALLY on the risk side, as it enables Banks to interact OVERTLY and COVERTLY with the customer. For example a risk system could ask: is the customer’s cell phone within 20 yards of their transaction (at X merchant).  Or even issue the customer a one-time PIN (or PIN request) to complete transaction.

Perfect Authentication – A threat to Banks?

This question is very similar to the story above on EMV. The engineer in me recoils at the thought that a sophisticated technology (which decreases risk), would not be welcomed within a market. To understand WHY, you must answer the question: WHO benefits from the risk reduction? If your business is risk management, and someone takes risk away, what is your business?

If we made an inventory of payment systems (technical investment) between merchant to consumer bank we would see today’s systems, processes and rules would be DESTROYED by a future state of connectivity and authentication. I’m sure this one line statement will be questioned “prove it”, but I don’t have time.. I’ll leave it to someone else. Take this statement for what it is: my opinion.

Authentication is 0-1; risk and fraud deal in shades of grey. For example, if there is a CHANCE that Joe Smith is really at the end of the transaction, and he is my wealth customer, I’ll let him in the door, see what he wants to do, and then assess the risk based on that. I certainly won’t LOCK HIM OUT. Another example: if I could authenticate a customer, why do I need to make the transaction secure? This is the BEAUTY of the Square “pay with your name” scenario. Why do I need tokens? Someone just needs to map consumer ID to payment types.

The very concept of payment “products” begins to dilute. No more credit, debit, pre-paid, Amex, ACH, check, … In a world of perfect authentication, “old line” products evolve toward dumb pipes as competition shifts to speed and cost (not risk).

From Cash Replacement

Networks are designed around a value proposition.  For payments to flourish, a coordinated system of instructions which can be read by trusted participants is necessary. Providers of payment services must consider what network participants are providing in order to collaborate in risk management and settlement; the greater the number of consumers and businesses that participate, the greater the collaboration and interdependency. As more people adopt the payment system, its value increases, since it provides access to more people; this encourages larger networks. Not only do the benefits increase as the network expands, but the per unit cost of service falls. This behavior is the basis for what economists refer to as a “network effect”.

Once a payment system reaches a “critical mass”, economic value will be created at the ends of networks. At the core (the point most distant from users) generic, scale-intensive functions will consolidate. At the periphery (the end closest to users) highly customized connections with customers will be made. This trend pertains not only to technological networks but to networks of banks as well as small merchants, and even to consumers who engage in shared tasks. From a payment network perspective, this means that the “routing” of payments will provide much less revenue opportunity than managing the end points (e.g. the customer interaction or the products which are sold on the network).

…] Payment networks are inherently “sticky” with investments required by consumers, merchants, and banks for effective functioning. Payment networks also have substantial government involvement to support Commerce and Treasury functions that ensure stability, resilience and protection of parties. Innovation in payments is challenged by this network dynamic. As most small companies know, getting a bank to make a decision is tough… but nothing compared to getting 4-6 groups (issuers, acquirers, merchants, MNOs, Regulators, networks, ..) to collaborate in making coordinated change. A level of difficulty that is only superseded by the challenge new entrants face in competing directly against these existing networks.

A truly jaw-dropping piece of research was completed last month by NYU’s Thomas Philippon (http://www.voxeu.org/article/where-wal-mart-when-we-need-it).

The cost of intermediation grows from 2% to 6% from 1870 to 1930. It shrinks to less than 4% in 1950, grows slowly to 5% in 1980, and then increases rapidly to almost 9% in 2010

In other words, payments and banking are one of the few network businesses in the HISTORY OF MAN to grow less efficient (compare rail, telecom, energy, …). This is BY DESIGN, as the orchestrators of banking have successfully created constructs to squeeze COMMERCE. This further demonstrates that existing payment networks are incapable of leading ANY FORM OF creative destruction. As I stated in Commerce Battlefield:

Mobile is a platform which enables a radically improved customer experience. With respect to payments it also offers a unique ability to authenticate a consumer (fingerprint, GPS, cell tower location, voice, camera, …). Yet no banks are looking to leverage these “new” capabilities in a “new” payment system. After all, given a clean sheet of paper, no one in their right mind would design a payment system like we have in Visa/MA: present a credential to a merchant, who passes it to a processor, who passes it to the network, which routes it to the issuer to approve a customer transaction… giving the auth to everyone in the chain again.. and getting back another message. If everything is connected, why not just ask the consumer to send the money from their bank (ex. Sofort, Push Payments; also read Banks will Win in Payment).

Why? Well because Banks can’t make money in a Sofort model.. (would need to create all new merchant agreements). This is why Banks are going through contortions to stay within Visa/MA, yet attempting to alter it fundamentally (ie Tokens). … (Also see Push Payments)

Regulation… the KEY

Payments, telecom, commerce, customer data, … all are regulated (merchants … not so much). Banks are completely justified in seeking solutions to their current regulatory burden. After all, they bear most of the AML, BSA, CFPB, FED, OCC, .. burdens here. What needs to happen is that regulators must allow non-bank entities to bear risk. This is where innovation occurs. See blog US Payment Innovation and Regulation.

Authentication – A Core Battle for Monetizing Mobile

Those of you with more than 15 yrs in the industry will remember dedicated T1 lines that moved data in secure pipes from one location to another. We now have VPNs, transaction signing and encryption that allow for use of generic pipes between COMPANIES. Authentication at a USER LEVEL will now permit yet a finer grained LEVEL of secure services and data ACROSS companies. Today we have cloud services from Apple, Amazon, Google, but how do you navigate amongst them? How can a start up develop services that SPAN them? Authentication is KEY…. And MNOs may be best placed to deliver this service.

16 October

I was delighted to see yesterday’s announcement on Verizon’s updated authentication efforts (UIIS), the American Banker Article pointed to a consumer focus,

“We want to be the world’s largest identity provider,” says Tracy Hulver, chief identity strategist at Verizon Enterprise Solutions.

I’ve always held this is a tremendous opportunity for MNOs given their distribution, ability to physically see and verify both consumer and phone, as well as their network management capability (ex. knowing where the device is). In fact one of my oldest blogs (4 years ago) laid out the high level opportunity.

What are some of the problems on the web today? Junk mail, spam, phishing, pharming, trust, fraud, passwords everywhere, card numbers everywhere, consumer data/cookies, beacons, … much of this is caused by ubiquitous anonymity. Consumers should have the right to be anonymous; after all, I don’t give a physical store my ID when I walk in to shop. But what if I wanted to be known?

Remember the early visions of “web services”? A technical panacea where I could combine distributed processes from multiple providers acting on distributed data. Much of this never came to fruition because there was little trust, no service levels, and no way to distribute revenue. Web service architecture took off fantastically within an organization… but cross-corporate success required resolving the issues above (as well as securing the pipes).

Those of you with more than 15 yrs in the industry will remember dedicated T1 lines that moved data in secure pipes from one location to another. We now have VPNs, transaction signing and encryption that allow for use of generic pipes between COMPANIES. Authentication at a USER LEVEL will now permit yet a finer grained LEVEL of secure services and data ACROSS companies. Today we have cloud services from Apple, Amazon, Google, but how do you navigate amongst them? How can a start up develop services that SPAN them? Authentication is KEY…. And MNOs may be best placed to deliver this service.

What problems could authentication (via mobile) “solve”?

#1 Payments – Of course this is the top of my list. My favorite quote from Ross Anderson: “if you solve for authentication.. everything else is just accounting”. Think of how much bank infrastructure is dedicated to authentication of the consumer and risk/fraud management. This infrastructure was built over the last 30 years because there was VERY poor ability to authenticate a consumer (ex. signature and possession of card) AND inconsistent CONNECTIVITY at each commercial “node” touching the transaction. Today we have complete connectivity, but the MODEL has not evolved from its archaic past. I could write a book on this topic alone. A key REQUIREMENT for authentication to IMPACT payments is that ALL ACTORS (bank, retailer, regulators) must RECOGNIZE and TRUST the services of the AUTHENTICATION PROVIDER. I would love to see the Fed lead here in creating a certification process…

In a perfect world, the following happens

  1. Legislation to create requirement (by Banks) to: recognize independent authentication services which comply w/ Fed, clear authorized payments in under 24 hrs, absolve banks of compliance responsibilities for authenticated payments (if they don’t own authentication).
  2. Fed creates Payment Authentication certification, requires banks to keep Auth at transaction level and absolves banks from compliance issues for authenticated transactions (assuming authenticated party was NOT on an AML list).
  3. Banks adapt systems to comply, or Fed enables transactions directly in a new real time service (with integrated authentication per transaction).  This is what happens when international banks provide remote consumers wire transfer capabilities (as in James Bond)
  4. … 10 yrs later…

#2 Fraud. Medicare, Obamacare, Welfare, Pension, …  A phone with integrated biometrics could make a very significant dent in $80B of false claims (FBI estimate).

#3 Better Auth leads to DUMBER PIPES. Look at what happened to our economy the last time we had a generic network where anyone could build.  Better authentication will allow us to REWIRE COMMERCE… with the Banks as a primary loser (note I spelled it correctly today).

#4 New Services. A corollary to #3. Integrating cloud and data across providers and across platforms. The realization of an early web services vision… Consumers could have control over provisioning and “orchestration” of their data. For example, allowing health care data to be shared with a doctor (for a second opinion), or allowing merchant transaction data to be shared with Google or Procter & Gamble for a fee. The receiver must be able to trust both the consumer’s permission and the source (3rd party validation). … Possibilities are endless (and exciting).

#5 Digital Signatures. Applying for and COMPLETING a loan application, college application, commitment to purchase, contracts, licenses. Enabling the US to catch up with Singapore on eGovernment, and making our lives easier. Improving the ability to open new accounts also increases competition, as institutions must compete for our business daily.

Other thoughts appreciated.

Who do you Trust?

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in the Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?

9 Sept 2013

(sorry for typos.. on the road and will proof later)

The WSJ article today on Apple’s biometrics led me to believe the mainstream press is “missing” it. As I outlined in Payments as Part of the OS, generically for all handsets in Stage 4 Value Shift, and in specific projections for Apple in Apple and NFC – Part 2:

  • Handsets are becoming a commodity; cameras, screen resolution and battery life are no longer differentiators
  • New differentiator is “Value Orchestration” across physical and virtual worlds
  • Apple and Google are best placed to perform this service, and do so today from “cloud access” to music, pictures, calendars, documents, to storage of personal information like cards, social, …
  • The “KEY” to value orchestration is owning the customer relationship. Identifying and Authenticating the customer is the first, primary, service that must be owned by a platform.  What was a separate “Trusted Services Manager” in the NFC world has been co-opted by platforms which will take a proprietary route.
  • Authentication is of little value if the platform is not “secure” and offers no unique services to authenticate. iOS and Android started life as relatively insecure operating systems, where “control” over individual app access to phone data was “regulated” by testing vs. enforced in platform security.

Platform Future

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?

Hardware is evolving to software. From NFC to the SIM. Once security is in place, there is no reason Apple could not release a version of their phone with SIM virtualization/emulation. Could you imagine having 2-5 options at any given instant, using whatever carrier has best coverage and least cost given your current location… Perhaps even competing w/ Wi-Fi ? Of course this would destroy carrier subsidies.. but perhaps it may be worth buying an unlocked phone.. and carriers become dumb pipes competing to deliver the best service. There are a few regulatory roadblocks in the way.. but I am painting a future view that is already occurring in some markets (See dual SIM phones in India).

The implications for Android are much more significant than for iOS, given the number of telcos that have leveraged Google’s baseline Android to create customized versions. If Google locks down Android with a new secure OS, they will be in a position to provision Google applications (Maps, mail, search, …), identities, and cloud based services (Drive, Google Now, Commerce, …). The “freeware” model could still exist, but without the cutting edge Google services it becomes a COMMODITY HARDWARE game.

Trust – Everyone wants to play

What we will see at Money 2020 is that there is an all-out war going on for the trust role: banks (see Tokenization), MA/V, MNOs, Samsung, retailers… everyone realizes this is the “key” to unlocking future value in the convergence of the virtual and physical world.

Bank strategy seems to center on control of existing networks. What they don't realize is that the harder they work to build barriers to entry, the greater the value of finding ways around them. A public example is Google's acquisition of Zave Networks in 2011. Before your credit card is taken at the POS, another settlement process is already in place.. the one around coupons (which are a legal form of tender). In this coupon environment, P&G's or General Mills' account is debited and the consumer's account is credited. In this financial settlement system there is no limit on what accounts can participate... This example perfectly represents the "innovator's dilemma", where a "good enough" network supplants an incumbent as the nature of competition changes.

I was with a top 3 bank CEO this year who was confident they would win the MCX business. I asked why. The response was "we have these retailers' investment banking business and handle most of their processing today".. My response: "when did you bring them customers or help them compete?" He just did not understand the nature of his competition; it was not about the cost of processing... the NATURE of competition in payments is changing. (See Retailer as Publisher)

Who do I trust?

I'm an ex-banker and can tell you that banks take the trust role very seriously. They are regulated and monitored.. I had to take 40 online tests a year to ensure I understood compliance, regs, ...etc. What a nightmare! Is it any wonder this environment is not ripe for innovation? Can you imagine what the CFPB would do to a big bank when it had customer data not related to an account? It would have to explain why it had the data, how it obtained it, the customer agreement terms, what it would do with it, the safeguards around use, storage and retrieval, how it planned to make money from it.. It's like your mother-in-law sitting next to you every day asking what you are doing. I certainly trust a bank.. but they will never ever get anything done here. They need partners, but they want to dominate the relationship.. The country with the most advanced model of bank-led "trust" authority is Korea (see link).

I love Google and think every one of their employees is working to "do no evil". They are the most well meaning and least "nefarious" Fortune 50 company I have ever worked with.. but they are used to getting data for free and selling it back in services. Consumer safeguards seem rather absolute.. and their data stores are so massive and intertwined that it's hard to pull them apart, particularly when a "consumer" relates to multiple accounts and devices... Google knows things about me that I have not specifically permissioned them for. They have the capability to be secure, but few current services where that is an imperative (Payments, Google Drive).

Apple is from another planet; there is just no one else like them in keeping secrets. How do they do it? Yes, I trust Apple.. they only know what I tell them.... I like this model.. If I added healthcare info to my iCloud account, I have confidence it would be secure.

MNOs. This is a breakout business for them (see KYC $5B opportunity). GREAT authentication means physical verification of the customer and their credentials. I believe US MNOs are in a position to deliver this service through Payfone.. but it must be integrated with local physical distribution channels for a "new" account type. This is where digital signatures could really take off... from signing mortgage documents to account applications.. I believe MNOs are best placed for the Trust role because of their physical distribution channels and knowledge of the consumer. Forget about ISIS.. if you own authentication, everything else is dependent on you.

Side Note: PayPal is getting far too much attention

They had a slew of new product releases last week, all focused on "convenience", not on COST or customer acquisition. As I outlined, PayPal is nowhere in off-eBay mobile payments ($1B – see my 10-K breakdown), and they are under attack as processors like First Data refuse to route their physical payments. The only prospective customers of PayPal are services, or branded retailers that restrict distribution, as the eBay marketplace encourages price competition for distributed CPG products. Jamba Juice, Dunkin Donuts, and Under Armour are example prospects.. Consumer adoption is driven by frequency of use.. If PayPal can't gain traction in grocery, gas or transit, their prospects are very bleak.

From a network perspective, the physical POS was NEVER PayPal's focus.. it is not what they do, or why their current consumers and merchants use them.

EMV in US? No Way

Update Sept 2014

Did EMV in the US happen? Well, to the surprise of issuers, Visa announced a scheme change in the US in August 2011 (see PR). The big issuers were not consulted about this program prior to rollout, as the dynamics described below in my previous article were playing out. Additionally, banks were working on a new scheme that would leapfrog EMV: tokenization. The large banks were working on this scheme without the involvement of Visa and MA. If successful, this token scheme would have bypassed V/MA altogether. I believe one of the reasons for this EMV push by Visa was to reassert its control of the network. Today quite a bit of friction remains between issuers and networks. See my blog on Chip and Signature for a view of some of the remaining chaos.

The new EMVCo token scheme, announced in October 2013, formalized in March 2014 and rolled out first with Apple Pay in September 2014, is the new "best" scheme on the planet. In this scheme the networks have taken over the original bank token model. Of course banks can also serve as TSPs (token service providers), but none of them are currently prepared (as of Sept 2014).

Original Oct 2009

As I was reading an article concerning “why US Card issuers should move to EMV”, I was struck by the amount of “disconnectedness” on this topic in the industry.

A quick background for those unfamiliar:

  • EMV is the "chip" card standard that replaces the mag stripe (http://en.wikipedia.org/wiki/EMV)
  • Rolled out in Europe in 2004 with the hope that fraud would go down (it actually just shifted to card not present, "CNP", transactions)
  • European issuers are also acquirers. In the US these functions have been separated, with the exception of AMEX
  • European banks are complaining that US cards in EMEA markets and EMEA cards in US markets are the weak points in their beautiful vision of a "chip world". EMEA acquirers are also threatening to stop accepting US (mag stripe) cards.
  • US adoption of EMV would take 10+ years for banks to re-issue cards and for all merchants to replace all terminals that use the mag stripe.
  • Issuers in the US don't collaborate very often because of anti-trust concerns. Rules are set by the networks... on whose boards the banks sit. Big banks like competing through "best practice" in fraud management. Small issuers have trouble in the arms race.

US issuers are exercising sound judgment in not jumping on the EMV bandwagon, yet many industry pundits (without access to the data) continue to push a POV that we in the US are somehow backward. Just take a look at the UK fraud data: card losses grew from £122M in 1997 to £531M in 2007, and £610M in 2008. What did the EMV investment "buy" the UK issuers? A detailed look at this fraud data (APACS confidential) shows that fraud adapted to the next weakest point in the card chain: CNP.

The US banks are highly motivated to do the right thing here, but the solution requires coordinated movement by 4+ highly fragmented groups (issuers, acquirers, networks, merchants). The US banks do get together to discuss these topics, primarily at the Philadelphia Fed. The top request from the banks (to their regulators) was to free their hands to work together on fraud and standards without fear of anti-trust reprisals.. a request that took on no owner, as the agencies involved (FTC, OCC, Fed, ...) were challenged to work among themselves.

http://www.philadelphiafed.org/payment-cards-center/publications/update-newsletter/2009/spring/spring09_06.cfm

Independent of the political challenges that the issuers face in the US, EMV is not the initiative to bring them together.

  • Old technology (will not last the 10 years it will take to roll out in the US)
  • Expensive (POS, card). Costs are not borne equally across the network
  • No proof point: fraud did not go down in the UK, and CNP was not addressed. http://www.computeractive.co.uk/computeractive/news/2238913/apacs-releases-fraud-figures
  • Fraud shifts to the next weakest point; it is not static
  • Big issuers like to compete on risk management
  • No benefit from an "incremental" rollout of any technology (below)
  • "Health" of issuers (below)

The "true" benefits of EMV will not be realized until there is 100% adoption at the POS (complete elimination of the mag stripe) and all other weaknesses are addressed (primarily CNP). That is the conundrum facing any new technology here: new plastic must completely replace the old. In other words, there are no "incremental" fraud savings from an incremental rollout.

Where there is chaos there is opportunity…

With respect to card use at the POS in the US, the prospects for NFC in mobile handsets are very exciting. NFC enabled handsets provide great customer convenience, and the costs are not borne by the banks. I highly recommend the business whitepaper below for those interested in the subject.

http://www.gsmworld.com/documents/gsma_pbm_wp.pdf

Other Data

Net credit losses (NCL) of top issuers for 3Q09

The top 5 issuers have seen their businesses deteriorate substantially, as NCLs moved from ~3% in 2007 to 10-12% currently. 3Q09 examples (data is for the QUARTER):

  • Citi: NCL of $4.2B
  • JPMC: NCL 9.41% (ex WaMu), card net income of ($700M) for the quarter
  • BAC: NCL $5.47B, 12.9%
  • CapOne: NCL $2.3B, 10%


http://www.javelinstrategy.com/2009/08/06/emv-us-magnetic-stripe-credit-cards-on-brink-of-extinction/

Who can you Trust? Online Reputations…

So you're a politician and you want to have "friends"... or a rich and famous actress who wants followers on Twitter. Well, there seems to be an answer for you... that money can buy.

https://www.mturk.com/mturk/welcome

I'm sure Mechanical Turk is not the only such service.. but I had an "innocence lost" moment for social networking. Here are some of the buyers listed on mturk:

  • www.overtimesportswear.com pays $0.01 if you become a fan. If you post a positive review, they will pay a bonus (amount not stated).
  • http://whoozy.com will pay $0.20 if you tweet about them
  • Elki Media will pay $0.15 if you follow them on Twitter

How many decisions are made based upon following a crowd? Swarm intelligence is particularly relevant here. How do people decide to follow a crowd, and what events trigger it? Do consumers "trust" because the swarm is around it? This is not necessarily something new, as mainstream media has "defined" many issues that are probably not issues at all. It's a media swarm that sometimes takes hold.

For financial institutions, PR, brand and marketing managers should be on top of swarms affecting their institutions. When swarms develop, customer facing employees must have responses to customer questions/concerns, and legal should be prepared to react to any disparagement. A very good tool for keeping track of brand use online is MarkMonitor.

As a consumer, I find the issues surrounding the portability of trust very interesting. We have credit bureaus and bank services like ITAC to manage financial identity theft.. perhaps there will be more services like http://trureputationscore.com/ to assess your online reputation. Many employers today take a look at services like LinkedIn and Facebook to see what kind of network you have... Perhaps they don't know that networks can now be bought..

Other Reading

Trust Agents: Using the Web to Build Influence, Improve Reputation, and Earn Trust